[Snort-users] Bleeding Snort rules and Sourcefire Official rules

Eric Hines eric.hines at ...8860...
Tue Oct 25 13:43:18 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hinsuk,

Consider the Bleeding-edge rules to augment your rules from snort.org.
In some cases they fill some gaps that may exist in the Snort.org
signature base (e.g. Virus and Spyware).. The bleeding-edge spyware
signatures are tremendously accurate, we have several federal customers
that rely on them heavily for tracking down spyware infected machines.

As the name states, consider them to be on the bleeding-edge of things.
Test your rules before applying them enterprise wide.

In summary, no Snort deployment is complete without rulesets from
bleeding-edge :)


Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC


- ---------------------------------------------------
Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
- ---------------------------------------------------
Headquarters:		1095 Pingree Road
			Suite 213
			Crystal Lake, IL 60014

Virginia Office:	4524 Waverly Crossing Lane
(DoD/Intelligence)	Chantilly, Va. 20151 	
			TS/SCI Cleared Personnel
- ---------------------------------------------------
Web Site:		http://www.appliedwatch.com
Tel:			(877) 262-7593
Direct:			(877) 262-7593 ext:327
Cell:			(847) 456-6785
- ---------------------------------------------------
- -


Rowland, Krisa W ERDC-ITL-MS Contractor wrote:
> HinSuk,
> 
>  
> 
> I run both sets of rules.  I do not find too much overlap ? usually when
> one is turned into an ?official? rule ? then they pull it out of the
> bleeding set pretty quickly. 
> 
>  
> 
> Krisa
> 
>  
> 
> ------------------------------------------------------------------------
> 
> *From:* snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] *On Behalf Of
> *hchlai at ...2792...
> *Sent:* Tuesday, October 25, 2005 3:06 PM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [Snort-users] Bleeding Snort rules and Sourcefire Official rules
> 
>  
> 
> Hi Snorters,
> 
>  
> 
> How is Bleeding Snort rules compare to Sourcefire Official rules in
> terms of accuracy in detecting intrusion attempts? Which set of rules
> are more practical to implement in a corporate environment? I'm thinking
> of implementing both sets of rules but I am afraid to run into many
> overlap alerts, has anybody try this before? What's the result is like?
> 
>  
> 
> Many thanks!
> 
>  
> 
> HinSuk
> 
>  
> 
> ------------------------------------------------------------------------
> 
> *Look What The New Netscape.com Can Do!*
> Now you can preview dozens of stories and have the ones you select
> delivered to you without ever leaving the Top Home Page. And the new
> Tool Box gives you one click access to local Movie times, Maps, White
> Pages and more. Click to test drive
> <%20http://netcenter.netscape.com/netcenter/>.
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDXpeDobrbO5ZoXNARAstMAKCH8d4IneGNiDbC2U9Fvw0zRf0E6ACeLjw6
MFWs7Qh/qli6SGO4p05LZSs=
=iBW0
-----END PGP SIGNATURE-----




More information about the Snort-users mailing list